Adobe hacked, all passwords, credit cards, sources of products leaked
  • Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.

    This is big. All their customers affected.

    We are also investigating the illegal access to source code of numerous Adobe products

    They also leaked sources. LOL.

    As I understand, they could just make it short - hackers got all and everything that Adobe had. Data on every customer, all sources, etc.

    http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

    40GB of compressed source codes. Hmm.

    http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

  • Any thoughts on what steps to take as a customer? Just went in and changed my password, but beyond that, no information from them, no notices...

  • @kellar42

    If you used a credit card for payment - call the bank and block it.

  • @Vitaliy_Kiselev Do you mean actually cancel the credit card and request a new one?

  • @matt_gh2

    On the credit card you must have a phone number, call it and explain the situation.

  • Ok - thanks.

  • Much thanks for the heads up V!!

    I just cancelled my card that was on file with Adobe!

  • Most people do not realize the full scale of what happened.

    1. Not only were sources leaked, but it seems like the Adobe sources in their VCS were compromised, as they now talk about introducing some fast fixes. And it seems like they have little idea about the parts and time of such actions.
    2. Leakage of Reader and Flash sources can mean a big rise in virus and botnet activity due to research of any potential holes.

  • PCI data and a portion of customer data will be encrypted. There's mention in the communication of encrypted data being taken, but without private keys it'll need decrypting - although there's no mention if the cyphers have been compromised too. I assume not.

    I'm not jumping to cancel cards, but the diligent thing to do would be to reset your password immediately.

  • PCI data and a portion of customer data will be encrypted. There's mention in the communication of encrypted data being taken, but without private keys it'll need decrypting

    The thing that you see in the Adobe statement must be in it :-) as they need to say that they comply with card companies' rules. But I have very strong doubts about believing a company that seems to have realized the huge breach only due to information from third parties, and after they lost all information from their internal network (including the most important product sources). Most probably the attackers were deep enough and all keys leaked. But if Adobe told the truth in this respect it really meant total disaster from the business side of things.

  • Typically keys to PCI stuff are protected via some form of hardware security module (HSM) - typically! I don't trust Adobe too much, but I think they're handling this fairly grown up so far which gives me hope that they do some things right. If it's plain text hashed or file based cert store, then shoot me in the face.

    Not 100% confidence inspiring when they say "At this time, we don't believe the credit or debit card numbers taken from our systems were decrypted.". If the keys have been compromised, Adobe just stepped into a world of mega-pain.

  • @Vitaliy_Kiselev Any chance recent updates to software via Creative Cloud could have been compromised with viruses by these hackers? In other words, any risk to using the latest versions of Premiere Pro, Audition, Speedgrade etc?

  • @matt_gh2

    I have no idea. Most probably not. I think the main target was their more popular stuff.

  • Updates are typically CRC checksummed. So any change in source won't get validated and therefore distributed. However, again...we don't know how Adobe run their black box in the cloud so anything is possible. Personally I'd hang fire on the 'update' button for the next 24 hours until the dust settles.

  • @itimjim

    The thing is, the breach was not in the update executables. The breach was at the VCS level. So all build procedures run fine, including signing. And it happened quite a long time ago as far as I understand.

    Check the second link in the top post.

  • Thanks for the sensational info, Vitaliy. Adobe is so slow and reacts so late: several days after they were hacked, I got this e-mail from Adobe today:

    Important Password Reset Information
    To view this message in a language other than English, please click here.
    We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.
    To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.
    We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.
    Adobe Customer Care

    My comment is: Adobe attended to get a lot more money from their customers introducing the cloud system recently. But now they might lose even more. The Damnation Game?

  • Thanks Vitaliy! I'm not sure how I missed this but it sure is nice of Adobe to wait till now to inform me. It's been nearly a month since you posted it and you said it was old then.

  • Usernames and encrypted passwords from around 38 million active Adobe users were stolen as part of a cyberattack first detailed earlier this month, reports Krebs on Security. Though Adobe originally reported that information on 2.9 million customers had been compromised, it now tells Krebs that the number is far higher and that it has been resetting the passwords and notifying the owners for all of them. The initial 2.9 million accounts also had credit card information associated with them.

    Source code for Photoshop, Acrobat, Reader, and ColdFusion were also taken, reports Krebs. Some of the source code and account information has reportedly been posted online since the data breach.

    Adobe explained details of the breach, including that the attacker had decrypted some accounts' credit card numbers using Adobe's own systems.

    http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/

  • This means people with access to the sources can generate files that seem to be signed by Adobe but contain malware?

  • "....attacker had decrypted some accounts' credit card numbers using Adobe's own systems."

    YIKES!!! :-o

    Makes me kinda glad now I've never purchased anything from Adobe.... there is something perversely wrong with the system when the "illegal" way ends up being safer and better than the legal method. :-/

  • @IronFilm Makes you think, doesn't it?

  • Great joke in the right circles.. "Did you hear Adobe is now open source..?"

  • More fun:

    See, the passwords in this leak were all encrypted with the same key. Without that key, we cannot crack a single password. But as soon as we have that key, we can instantly crack all of them. So for this particular leak, we're not trying to crack individual passwords — we're trying to crack the encryption key.

    http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/

    http://www.zdnet.com/just-how-bad-are-the-top-100-passwords-from-the-adobe-hack-hint-think-really-really-bad-7000022782/

    Adobe did not use the normal approach with hashing; instead they just encrypted the passwords. The top 100 passwords are already found.
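
Added example (not part of the thread or of the articles it links): the difference the post above describes, one key for every record versus salted hashing, as a check someone auditing a credential table could run. HMAC is only a standard-library stand-in for deterministic single-key encryption, and the key, accounts and work factor are constructed for the demo.

```python
import hashlib
import hmac
import os

SITE_KEY = b"constructed-demo-key"   # hypothetical: one secret shared by every record
PBKDF2_ROUNDS = 100_000              # assumed work factor for the demo

# Constructed sample accounts; three users picked the same password.
ACCOUNTS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "photoshop",
    "dave": "123456",
    "erin": "correct horse battery",
}

def store_single_key(password):
    """Deterministic keyed transform: same password always gives the same value.
    HMAC stands in for single-key encryption here (stdlib has no block cipher)."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()

def store_salted(password):
    """Per-user random salt plus a slow KDF: equal passwords give unrelated values."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)

def shared_value_groups(table):
    """Audit check: list groups of users whose stored value is byte-identical."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)

def build_tables():
    single = {u: store_single_key(p) for u, p in ACCOUNTS.items()}
    salted = {u: store_salted(p) for u, p in ACCOUNTS.items()}
    return single, salted

if __name__ == "__main__":
    single, salted = build_tables()
    print("single key :", shared_value_groups(single))
    print("salted KDF :", shared_value_groups({u: dk for u, (_, dk) in salted.items()}))
```

Any non-empty result from `shared_value_groups` on a real credential table means equal passwords are visible as equal stored values, which is the property that made the most common passwords in this dump stand out.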

  • It all becomes better and better:

    A huge dump of the offending customer database was recently published online, weighing in at 4GB compressed, or just a shade under 10GB uncompressed, listing not just 38,000,000 breached records, but 150,000,000 of them.

    http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

  • My account was compromised yupiiii, did Adobe inform me? No. Check yours here - LastPass